We've configured SPF, DKIM and DMARC records for our domain and they're working fine. Our DMARC reports from Gmail, Hotmail, Yahoo also confirm the same.
However, just last week, one of our (Gmail) users brought to our attention a fraudulent email sent from a spoofed email address on our domain.
After looking at the email headers, we realised Gmail didn't initiate a DMARC check at all and the email landed in the user's inbox. Gmail had only performed an SPF check, which had passed because the check was performed on the envelope FROM domain.
The email header (with identifying details redacted) looked like the following:
Delivered-To: [email protected]
Received: by 10.28.167.23 with SMTP id q23csp326872wme;
Mon, 20 Feb 2017 23:53:04 -0800 (PST)
X-Received: by 10.36.147.1 with SMTP id y1mr22192213itd.34.1487663583976;
Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Return-Path: <[email protected]>
Received: from server2.fraudulentdomain.net (server2.fraudulentdomain.net. [144.X.Y.Z])
by mx.google.com with ESMTP id i196si19658513ioi.78.2017.02.20.23.53.03
for <[email protected]>;
Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 144.X.Y.Z as permitted sender) client-ip=144.X.Y.Z;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 144.X.Y.Z as permitted sender) [email protected]
Received: by server2.fraudulentdomain.net (Postfix, from userid 330)
id 385716C165; Tue, 21 Feb 2017 08:53:03 +0100 (CET)
To: [email protected]
Subject: Some Subject
From: My Service <[email protected]>,
"MIME-Version:1.0"@server2.fraudulentdomain.net
Content-type: text/html; charset=iso-8859-1
Message-Id: <[email protected]>
Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)
Why did Gmail not initiate a DMARC check and only perform an SPF check? Does it have something to do with the display FROM header having 2 values?
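The header above shows the shape DMARC struggles with: SPF authenticated the envelope sender (the spoofer's own domain, so it passed), while the display From: carries two addresses in two different domains. RFC 7489 §6.6.1 treats a From: field with more than one domain as an unusual case that the receiver may reject, quarantine, or evaluate against every listed domain; it does not get the normal single-domain alignment check. The script below is an added example (not part of the question, and not how Gmail is implemented) that replays that decision on constructed messages: it extracts every From: domain, derives the SPF-authenticated domain from Return-Path and the DKIM-signing domains from Authentication-Results, applies relaxed or strict identifier alignment, and reports the two-domain case as not evaluable so a filter can flag it. Domain names, addresses and the Authentication-Results lines are constructed, and the organizational domain is approximated by the last two DNS labels (a real receiver uses the Public Suffix List).

```python
"""Added example: DMARC identifier alignment, including the multi-domain From: case.
Everything below (example.com, server2.attacker.invalid, mx.example.net) is
constructed for illustration; it is not the original question's data."""
import email
import re
from email.utils import getaddresses, parseaddr


def build_message(from_header, return_path, auth_results):
    """Constructed sample (hypothetical): only the headers DMARC looks at."""
    return (
        f"Return-Path: <{return_path}>\n"
        f"Authentication-Results: mx.example.net;\n       {auth_results}\n"
        "To: victim@example.com\n"
        "Subject: Some Subject\n"
        f"From: {from_header}\n"
        "Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)\n"
        "\n"
        "body\n"
    )


# 1. The shape from the question: one From: field, two addresses, two domains.
TWO_FROM_DOMAINS = build_message(
    'My Service <service@example.com>,\n "MIME-Version:1.0"@server2.attacker.invalid',
    "bounce@server2.attacker.invalid",
    "spf=pass smtp.mailfrom=bounce@server2.attacker.invalid",
)
# 2. Plain spoof: From: on our domain, SPF passes only for the attacker's MAIL FROM.
PLAIN_SPOOF = build_message(
    "My Service <service@example.com>",
    "bounce@server2.attacker.invalid",
    "spf=pass smtp.mailfrom=bounce@server2.attacker.invalid",
)
# 3. Legitimate mail sent via a subdomain: SPF and DKIM both authenticate there.
LEGIT_SUBDOMAIN = build_message(
    "My Service <service@example.com>",
    "bounce@mail.example.com",
    "spf=pass smtp.mailfrom=bounce@mail.example.com;\n       dkim=pass header.d=mail.example.com",
)


def org_domain(domain):
    """Approximation (assumption): organizational domain = last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') alignment compares organizational domains; strict ('s') is exact."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def from_domains(msg):
    """Every distinct domain named in the RFC5322.From field, in order."""
    domains = []
    for _name, addr in getaddresses(msg.get_all("From", [])):
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in domains:
                domains.append(domain)
    return domains


def spf_domain(msg):
    """SPF authenticates the envelope sender (MAIL FROM), recorded in Return-Path."""
    _name, addr = parseaddr(msg.get("Return-Path", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    return " ".join(msg.get_all("Authentication-Results", []))


def spf_passed(msg):
    return re.search(r"\bspf=pass\b", auth_results(msg)) is not None


def dkim_pass_domains(msg):
    """Signing domains (d=) of every DKIM signature the receiver verified."""
    return [d.lower() for d in re.findall(r"dkim=pass[^;]*?header\.d=([^\s;]+)", auth_results(msg))]


def evaluate_dmarc(raw_message, mode="r"):
    """Return the alignment verdict: 'pass', 'fail', or 'not_evaluable'
    when the From: field names more than one domain (RFC 7489 sec. 6.6.1)."""
    msg = email.message_from_string(raw_message)
    domains = from_domains(msg)
    result = {"from_domains": domains, "spf_aligned": False, "dkim_aligned": False}
    if len(domains) != 1:
        result["status"] = "not_evaluable"  # flag for quarantine/review, do not trust SPF alone
        return result
    from_domain = domains[0]
    result["spf_aligned"] = spf_passed(msg) and aligned(spf_domain(msg), from_domain, mode)
    result["dkim_aligned"] = any(aligned(d, from_domain, mode) for d in dkim_pass_domains(msg))
    result["status"] = "pass" if (result["spf_aligned"] or result["dkim_aligned"]) else "fail"
    return result


if __name__ == "__main__":
    for label, sample in [("two From domains", TWO_FROM_DOMAINS),
                          ("plain spoof", PLAIN_SPOOF),
                          ("legit subdomain", LEGIT_SUBDOMAIN)]:
        print(label, evaluate_dmarc(sample))
```

The first sample is the one that matters for the question: an SPF pass on the envelope domain says nothing about the display From:, and once the From: field names two domains there is no single identifier to align against, so the code refuses to produce a pass/fail and returns not_evaluable. The third sample shows why alignment mode matters: mail from mail.example.com passes under relaxed alignment but fails under strict, which is what the DMARC record's aspf/adkim tags control.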